Data Processing Addendum

DRAFT — pending legal review. This Addendum is a near-complete engineering draft of the controller-to-processor terms for organizers subject to the GDPR, UK GDPR, or comparable laws, prepared so that counsel can review and finalize rather than author from scratch. Items an attorney must confirm are marked [CONFIRM]. It is not legal advice.

Version: 0.1.1 (pre-release draft) — accompanies Terms of Service 0.1.1
Effective Date: Not yet in effect — pre-launch review
Last Updated: June 22, 2026


1. Purpose and Roles

This Data Processing Addendum ("DPA") forms part of and supplements the Vinyaas Terms of Service (the "Agreement") and is incorporated into it for any directory organizer that processes personal data about other people ("Directory Data") subject to the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), or a comparable law. Where this DPA conflicts with the rest of the Agreement, this DPA controls for the processing of Directory Data.

For Directory Data:

  • the organizer is the data controller ("Controller"); and
  • Holicow LLC ("Holicow", the "Processor") processes Directory Data only on the Controller's documented instructions.

For an organizer's own account, billing, support, and security data, Holicow is an independent controller — see the Privacy Policy. This DPA governs Directory Data only.

2. Definitions

Terms not defined here have the meaning given in the GDPR. "Data Subject", "personal data", "processing", "personal data breach", "special categories of data", and "supervisory authority" have their GDPR meanings. "Data Protection Law" means each privacy/data-protection law applicable to the processing. "SCCs" means the Standard Contractual Clauses annexed to EU Commission Implementing Decision (EU) 2021/914. "UK Addendum" means the UK Information Commissioner's International Data Transfer Addendum to the SCCs, version B1.0. "Sub-Processor" means a third party engaged by Holicow to process Directory Data.

3. Subject Matter and Details of Processing

The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of Data Subjects are set out in Annex I to this DPA. The Controller's instructions for processing are this DPA, the Agreement, and the configuration choices the Controller makes within the Service. The Controller may give additional documented instructions consistent with the Service; Holicow will inform the Controller if, in its reasonable opinion, an instruction infringes Data Protection Law.

4. Controller (Organizer) Obligations and Warranties

The Controller warrants and undertakes that it:

  • has, and will maintain, a valid lawful basis under Article 6 (and, for any special-category data, Article 9) for collecting and listing each Data Subject's personal data, and has provided all required transparency notices and obtained any required consent;
  • will not configure or upload special-category data (Article 9) or data relating to criminal convictions (Article 10) unless it has a lawful basis and has notified Holicow so that appropriate measures can be assessed;
  • will not list any child under 13 (COPPA); and for minors aged 13–17, including minors below the local GDPR digital-consent age (13–16), will maintain a valid lawful basis and any required parent, guardian, school, organizational, or other legally required authorization (the digital-consent age governs a minor's ability to self-consent, not whether the minor may be listed — see Section 4.1);
  • gives Holicow documented, lawful instructions (this DPA, the Agreement, and in-product configuration constitute those instructions); and
  • is responsible for the accuracy, quality, and lawfulness of the Directory Data and the means by which it acquired it.

4.1 Minor Directory Data (Ages 13–17)

Where Directory Data includes minors aged 13–17, the Controller (organizer) remains solely responsible for: determining the lawful basis for the processing; providing the required notices to the minor and parent/guardian; obtaining parent or guardian authorization where required; obtaining any necessary school or organizational authorization; restricting access, purpose, and the use of any sensitive data about the minor; responding to requests from the minor or their parent, guardian, or legal representative; and ensuring that the processing is appropriate to the age, context, and jurisdiction of the data subject, as set out in Section 4 of the Terms of Service. Holicow processes minor Directory Data only on the Controller's instructions and does not verify the Controller's authority, lawful basis, or parental/school authorization.

5. Processor (Holicow) Obligations

Holicow will:

  1. Process only on documented instructions — including with regard to transfers of Directory Data to a third country — unless required by applicable law, in which case Holicow will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
  2. Confidentiality — ensure persons authorized to process Directory Data are bound by an obligation of confidentiality.
  3. Security (Article 32) — implement and maintain the technical and organizational measures set out in Annex II.
  4. Sub-Processors — engage Sub-Processors only in accordance with Section 7.
  5. Assistance with Data-Subject rights — taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise Data-Subject rights (the Service provides self-service export, rectification, withdrawal, and deletion tools). If a request reaches Holicow directly, Holicow will, without undue delay, forward it to the Controller and not respond except on the Controller's instruction or as legally required.
  6. Assistance with Articles 32–36 — assist the Controller in ensuring security, notifying personal data breaches, conducting data-protection impact assessments, and consulting supervisory authorities, taking into account the information available to Holicow.
  7. Breach notification — notify the Controller without undue delay and, where feasible, within 72 hours after confirming a personal data breach affecting Directory Data, providing the information then reasonably available (the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed).
  8. Deletion or return — at the Controller's choice, delete or return all Directory Data after the end of the provision of the Service, and delete existing copies unless applicable law requires storage, in accordance with the retention schedule in the Privacy Policy.
  9. Audits and information — make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, subject to the guardrails in Section 6.

6. Audit Guardrails

The Controller's audit right (Section 5.9 and SCC Clause 8.9) is satisfied, in the first instance, by Holicow making available its security documentation, completed security questionnaires, and any third-party reports it holds. Where that is insufficient to demonstrate compliance, the Controller may conduct an audit: on at least 30 days' prior written notice; no more than once in any 12-month period (unless required by a supervisory authority or following a personal data breach); during business hours; subject to confidentiality; in a manner that does not disrupt Holicow's operations or compromise other customers' data; and at the Controller's expense.

7. Sub-Processors

The Controller grants Holicow general written authorization to engage the Sub-Processors listed in Annex III. Holicow will: (a) impose data-protection obligations on each Sub-Processor that are no less protective than this DPA by written contract; (b) remain fully liable to the Controller for each Sub-Processor's performance; and (c) give the Controller at least 30 days' advance notice [CONFIRM notice period] of the addition or replacement of a Sub-Processor (by updating Annex III and notifying managing users), during which the Controller may object on reasonable data-protection grounds. If the parties cannot resolve a good-faith objection, the Controller may terminate the affected directory as its sole remedy.

8. International Transfers

Holicow processes Directory Data in the United States. Where the Controller's processing is subject to the GDPR, UK GDPR, or FADP and Holicow's processing of Directory Data constitutes a restricted transfer, the parties agree:

  • EU/EEA transfers — the SCCs are incorporated by reference and apply as follows:
    • Module Two (Controller → Processor) applies to the transfer from the Controller (data exporter) to Holicow (data importer).
    • Module Three (Processor → Sub-Processor) applies to onward transfers from Holicow to its Sub-Processors.
    • Clause 7 (Docking clause): applies.
    • Clause 9 (Sub-Processors): Option 2 (general written authorization), with the notice period in Section 7.
    • Clause 11 (Independent dispute resolution): the optional language does not apply. [CONFIRM]
    • Clause 17 (Governing law): the law of the EU member state in which the data exporter (Controller) is established; where the Controller is not established in the EU, the law of Ireland. [CONFIRM]
    • Clause 18 (Forum and jurisdiction): the courts of that member state (or Ireland, as applicable). [CONFIRM]
    • The technical and organizational measures referenced in Annex II satisfy Annex II of the SCCs; Annex I and Annex III of this DPA populate the corresponding SCC annexes.
  • UK transfers — the UK Addendum is incorporated and amends the SCCs for UK data (Tables 1–4 of the UK Addendum are completed in Annex IV).
  • Swiss transfers — the SCCs apply with the Swiss adaptations in Annex IV (references to the GDPR are read as the revised Swiss FADP (nFADP), in force since 1 September 2023, and the FDPIC is the competent authority). [CONFIRM with counsel]
  • DPF — where a Sub-Processor is certified under the EU-U.S. Data Privacy Framework (and the UK/Swiss extensions), Holicow may rely on that certification for transfers to that Sub-Processor in addition to or instead of the SCCs.

In the event of a conflict between the SCCs/UK Addendum and this DPA, the SCCs/UK Addendum prevail with respect to the transfer.

9. Liability and Term

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA takes effect when the Controller accepts the Agreement and continues for as long as Holicow processes Directory Data. Sections governing confidentiality, deletion/return, and liability survive termination.


Annex I — Details of Processing

A. List of Parties

  • Data exporter (Controller): the organizer that accepts the Agreement and this DPA. Contact, role, and signature are evidenced by the organizer's accepted account record and the Terms-acceptance audit log. Activities: operating a Vinyaas directory. Role: controller.
  • Data importer (Processor): Holicow LLC, 1164 Palmer Loop, Chewelah, WA 99109, USA; [email protected]. Activities: providing the Vinyaas directory platform. Role: processor.

B. Description of Transfer

  • Categories of Data Subjects: the individuals the Controller lists in its directory — members, viewers, and non-app data subjects; may include minors aged 13–17 where the directory serves a school, youth, or community purpose (see Section 4.1).
  • Categories of personal data: identifiers and contact data (name, email, phone), postal addresses, photographs, dates, and other fields the Controller configures in its directory schema.
  • Special-category data: none intended; the Controller must not configure special-category data without a lawful basis and notice to Holicow (Section 4).
  • Frequency: continuous, for the duration of the directory.
  • Nature and purpose: storage, organization, display, import/export, and transmission of Directory Data to operate the directory.
  • Retention: per the retention schedule in the Privacy Policy.
  • Onward transfers to Sub-Processors: subject matter, nature, and duration as in Annex III.

C. Competent Supervisory Authority

The supervisory authority of the EEA member state in which the Controller (data exporter) is established; or, where the Controller is not established in the EEA, the supervisory authority of the member state in which the relevant Data Subjects are located. For UK data, the UK ICO; for Swiss data, the FDPIC.

Annex II — Technical and Organizational Security Measures

Holicow maintains, at a minimum, the following measures (Article 32 / SCC Annex II):

  • Encryption: TLS (HTTPS) for all data in transit; encryption at rest for backups and object storage; one-way hashing of account passwords.
  • Access control: role-based, least-privilege access to production systems; unique accounts; multi-factor authentication for administrative access; revocation on personnel changes.
  • Pseudonymization/minimization: collection limited to data needed to provide the Service; scheduled scrubbing of incidental audit metadata.
  • Network and application security: firewalling and network isolation; secure software-development practices; input validation; dependency and vulnerability management with timely patching.
  • Logging and monitoring: audit logging of administrative and security-relevant events; monitoring and alerting.
  • Resilience and recovery: regular encrypted backups; documented restore procedures; redundancy provided by the hosting platform.
  • Personnel: confidentiality obligations and security awareness for staff with access to Directory Data.
  • Incident response: a documented breach-response process supporting the notification commitment in Section 5.7.
  • Sub-Processor management: written data-protection terms and security review of Sub-Processors (Annex III).
  • Physical security: delegated to the underlying cloud providers (Annex III), which maintain access-controlled, certified data-center facilities.

[CONFIRM: align this list with the actual production configuration before launch.]

Annex III — Sub-Processors

The Controller authorizes the following Sub-Processors. Holicow remains responsible for their performance and imposes terms no less protective than this DPA.

  • Apple, Inc.
    • Service / role: App Store In-App Purchase billing; push notifications (APNs)
    • Nature of processing: payment processing as merchant of record; delivery of push tokens
    • Location: United States
    • Transfer mechanism: DPF / SCCs [CONFIRM]
  • Cloudflare, Inc.
    • Service / role: object storage (R2) for files/images; CDN
    • Nature of processing: storage and delivery of uploaded content
    • Location: United States / global edge
    • Transfer mechanism: SCCs / DPF [CONFIRM]
  • Amazon Web Services, Inc.
    • Service / role: transactional email (Amazon SES)
    • Nature of processing: delivery of transactional email
    • Location: United States
    • Transfer mechanism: SCCs / DPF [CONFIRM]
  • Laravel Holdings, Inc.
    • Service / role: application hosting and database (Laravel Cloud)
    • Nature of processing: hosting and storage of Directory Data
    • Location: United States
    • Transfer mechanism: SCCs [CONFIRM]

[CONFIRM: confirm each provider's processing region and that an executed data-processing agreement / SCCs are in place with each, before launch.]

Annex IV — UK and Swiss Transfer Elections

UK Addendum (Tables 1–4):

  • Table 1 (Parties): exporter = the Controller (organizer); importer = Holicow LLC (details in Annex I.A).
  • Table 2 (Selected SCCs): the EU SCCs as completed in this DPA, Modules Two and Three, with the elections in Section 8.
  • Table 3 (Appendix information): as set out in Annexes I, II, and III.
  • Table 4 (Ending the Addendum): the Importer may end the Addendum as set out in Section 19 of the Addendum. [CONFIRM]

Swiss adaptations: for Swiss-origin Directory Data, references in the SCCs to the GDPR are read as references to the revised Swiss FADP (nFADP), which has been in force since 1 September 2023; the competent authority is the FDPIC; and the governing law for the Swiss transfer is Swiss law. (The nFADP no longer extends data-protection rights to legal entities, so the former transitional extension does not apply.) [CONFIRM with counsel]

Contact

Data-protection enquiries and requests under this DPA:

Holicow LLC — Attn: Privacy
1164 Palmer Loop, Chewelah, Washington 99109, United States
[email protected] (or privacy [at] holicow.app)